Microsoft promises IIS bug patch

Microsoft Corp. last week disclosed that it is working to fix a bug in its popular Web server software, but observers say the patch is unlikely to be ready in time for Tuesday's regular monthly patch release.

Microsoft last Tuesday issued a formal security advisory for the vulnerability in three older versions of its Internet Information Services server, a day after the exploit code went public.

On Wednesday, it issued the advisory that the patch was in development.

As a result of the flaw, IIS's FTP server fails to properly parse specially crafted directory names, allowing hackers to force a stack buffer overflow and then inject malicious code onto the Web server.

In the short term, Microsoft urged administrators responsible for IIS 5.0, 5.1 and 6.0 Web servers to make one of several suggested defensive moves, any one of which will stymie the currently known exploits.